Improvement: otterdog extended configuration with branch protection #33

Open
sameer6989 opened this issue Dec 5, 2024 · 2 comments
Labels: infrastructure (General Score infrastructure topics)

Comments

@sameer6989

sameer6989 commented Dec 5, 2024

Important: Make sure to link this issue with the PR for your improvement.

The otterdog configuration needs to be extended with branch protection rules. It needs to be considered what kind of approach will be taken: rulesets, branch protection, or a combination of both.
(This is a duplicate of the otterdog issue, since that one was not assignable to me (@sameer6989).)

@AlexanderLanin (Member)

@sameer6989 can you update the issue with what exactly we need to do? Or can we close it?

@sameer6989 (Author)

Below is a draft that could be improved and implemented for the Otterdog config; it also contains considerations for making further additions to the Otterdog config.

To add branch protection rules to the Eclipse Score repositories in Otterdog, we need to decide between the following approaches:

  1. Using GitHub Branch Protection Rules

    • Provides direct protection for specific branches (e.g., main).
    • Useful for mandatory status checks, commit restrictions, and PR approvals.
    • Applied at the repository level.
  2. Using GitHub Rulesets (Preferred for Scalability)

    • Allows defining rules once and applying them across multiple repositories.
    • Supports complex conditions like targeting multiple branches with different rules.
    • Rulesets can be enforced for organizations or repositories.
  3. Combination of Both Approaches

    • Use rulesets for broad policies across repositories.
    • Use branch protection rules for exceptions (e.g., special branch policies in some repos).

Recommended Strategy: Use Rulesets for Standardization

To maintain consistency across repositories, we should:

  • Define a default ruleset for all repositories.
  • Customize repository-specific rules using branch protection when needed.

Implementation in Otterdog

1. Define a Default Ruleset

(sample code below)

```jsonnet
// Bind the ruleset to a local so that every repository references the same
// definition. Writing orgs.newRepoRuleset('default-ruleset') again inside a
// repository's rulesets list would create a separate, empty ruleset of that
// name instead of reusing this one.
// Key names below are the draft's; validate them against the Otterdog ruleset
// schema in the config playground before merging.
local defaultRuleset = orgs.newRepoRuleset('default-ruleset') {
  include_refs+: [
    "refs/heads/main",
    // an exact ref name; GitHub rulesets also accept fnmatch patterns such as
    // "refs/heads/feature/*" when a whole family of branches is meant
    "refs/heads/feature",
  ],
  required_pull_request+: {
    dismisses_stale_reviews: true,
    required_approving_review_count: 2,
    requires_code_owner_review: true,
  },
  required_status_checks+: [
    "ci-build",
    "unit-tests",
    "linting",
  ],
  restrict_pushes+: {
    allow_deploy_keys: false,
    allow_force_pushes: false,
    allowed_users+: [
      "repo-admin",
    ],
  },
};
```

2. Apply Rulesets to Repositories

Modify each repository to include the new ruleset: (sample code below)

```jsonnet
// Inside the org's _repositories+:: list.
orgs.newRepo('score') {
  allow_merge_commit: true,
  allow_update_branch: false,
  code_scanning_default_languages+: [
    "python"
  ],
  code_scanning_default_setup_enabled: true,
  description: "Score project main repository",
  gh_pages_build_type: "legacy",
  gh_pages_source_branch: "gh-pages",
  gh_pages_source_path: "/",
  has_discussions: true,
  homepage: "https://eclipse-score.github.io/score",
  topics+: [
    "score"
  ],
  rulesets: [
    // repository-specific ruleset for main
    orgs.newRepoRuleset('main') { include_refs+: ["refs/heads/main"] },
    // the shared definition bound in step 1, not a fresh newRepoRuleset call
    defaultRuleset,
  ],
  environments: [
    orgs.newEnvironment('github-pages') {
      deployment_branch_policy: "all"
    },
  ],
},
```

3. Repository-Specific Branch Protection (Optional)

If a repository needs different rules, we apply them directly: (sample code below)

```jsonnet
orgs.newRepo('inc_mw_per') {
  allow_merge_commit: true,
  allow_update_branch: false,
  code_scanning_default_setup_enabled: true,
  description: "Incubation repository for persistency framework",
  homepage: "https://eclipse-score.github.io/inc_mw_per",
  rulesets: [
    orgs.newRepoRuleset('main') { include_refs+: ["refs/heads/main"] },
    defaultRuleset,
  ],
  // Classic branch protection in Otterdog is a list of
  // orgs.newBranchProtectionRule(pattern) entries, not a map keyed by branch.
  // GitHub enforces this rule together with every active ruleset that targets
  // main, so an "exception" can only add restrictions, never relax them.
  branch_protection_rules: [
    orgs.newBranchProtectionRule('main') {
      required_approving_review_count: 3,
      is_admin_enforced: true,
      restricts_pushes: true,
      // actor entries (users/teams) follow Otterdog's push_restrictions
      // format; validate in the config playground
      push_restrictions+: [
        "lead-dev",
        "repo-admin",
      ],
    },
  ],
},
```

Final Considerations

Standardization: Using rulesets ensures uniform policies across repositories.
Flexibility: Repository-specific branch protection rules allow exceptions.
Security: Enforces PR approvals, status checks, and restricted pushes.
Config playground: ensure that the changes made to the config work correctly by checking them in the playground.

Since the Otterdog config has already been made, we can close this ticket and can come back to this document if a reference is required.
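The "combination of both approaches" discussed above rests on one GitHub behaviour: every active ruleset that targets a ref and the classic branch protection rule for that ref are all enforced at once, so the effective policy is the most restrictive merge of them, and a branch protection "exception" can only tighten what the rulesets already require. The script below is an added example, not part of this thread and not Score or Otterdog code. It computes that effective policy for a ref from data in the shape of the GitHub REST API (the rulesets and branch protection endpoints, which is what Otterdog ultimately applies), then checks it against the baseline the thread lists (PR approvals, status checks, restricted pushes). All rulesets and the branch protection object are constructed sample data; the `fnmatch`-based ref matching is an approximation of GitHub's matcher, and the `~ALL` and `~DEFAULT_BRANCH` placeholders are handled explicitly.

```python
"""Effective branch protection = every active ruleset that targets a ref plus the
classic branch-protection rule, merged to the most restrictive value.
Added example for this thread, not Score or Otterdog code. Input shapes follow the
GitHub REST API (rulesets and branch-protection endpoints); all data is constructed."""
from fnmatch import fnmatchcase

DEFAULT_BRANCH = "main"

# Constructed rulesets in the shape of GET /repos/{owner}/{repo}/rulesets/{id}
RULESETS = [
    {"name": "default-ruleset", "target": "branch", "enforcement": "active",
     "conditions": {"ref_name": {"include": ["refs/heads/main", "refs/heads/release/*"],
                                 "exclude": []}},
     "rules": [
         {"type": "pull_request", "parameters": {"required_approving_review_count": 2,
                                                 "dismiss_stale_reviews_on_push": True}},
         {"type": "required_status_checks", "parameters": {
             "required_status_checks": [{"context": "ci-build"}, {"context": "unit-tests"}]}},
         {"type": "non_fast_forward"},  # blocks force pushes
         {"type": "deletion"},          # blocks branch deletion
     ]},
    # A second, weaker ruleset on the default branch: it cannot lower the count above.
    {"name": "main", "target": "branch", "enforcement": "active",
     "conditions": {"ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []}},
     "rules": [{"type": "pull_request", "parameters": {"required_approving_review_count": 1}}]},
    # Evaluate mode only reports violations, so it must not count as protection.
    {"name": "experimental", "target": "branch", "enforcement": "evaluate",
     "conditions": {"ref_name": {"include": ["~ALL"], "exclude": []}},
     "rules": [{"type": "pull_request", "parameters": {"required_approving_review_count": 5}}]},
]

# Constructed classic rule, shape of GET /repos/{owner}/{repo}/branches/{branch}/protection
BRANCH_PROTECTION = {
    "main": {"required_pull_request_reviews": {"required_approving_review_count": 3,
                                               "dismiss_stale_reviews": False},
             "required_status_checks": {"strict": True, "contexts": ["linting"]},
             "enforce_admins": {"enabled": True},
             "allow_force_pushes": {"enabled": False},
             "allow_deletions": {"enabled": False}},
}

def _ref_matches(pattern, ref):
    # ref_name conditions: ~ALL, ~DEFAULT_BRANCH, or an fnmatch pattern (approximated here)
    if pattern == "~ALL":
        return True
    if pattern == "~DEFAULT_BRANCH":
        return ref == f"refs/heads/{DEFAULT_BRANCH}"
    return fnmatchcase(ref, pattern)

def ruleset_applies(ruleset, ref):
    """Only active branch rulesets whose include/exclude conditions match count."""
    if ruleset.get("target", "branch") != "branch" or ruleset.get("enforcement") != "active":
        return False
    cond = ruleset.get("conditions", {}).get("ref_name", {})
    if any(_ref_matches(p, ref) for p in cond.get("exclude", [])):
        return False
    return any(_ref_matches(p, ref) for p in cond.get("include", []))

def effective_policy(ref, rulesets=RULESETS, protections=BRANCH_PROTECTION):
    """Merge every applicable source; GitHub enforces each, so keep the strictest value."""
    pol = {"approvals": 0, "dismiss_stale": False, "checks": set(), "force_push_blocked": False,
           "deletion_blocked": False, "enforce_admins": False, "sources": []}
    for rs in rulesets:
        if not ruleset_applies(rs, ref):
            continue
        pol["sources"].append(rs["name"])
        for rule in rs["rules"]:
            p = rule.get("parameters", {})
            if rule["type"] == "pull_request":
                pol["approvals"] = max(pol["approvals"], p.get("required_approving_review_count", 0))
                pol["dismiss_stale"] |= p.get("dismiss_stale_reviews_on_push", False)
            elif rule["type"] == "required_status_checks":
                pol["checks"] |= {c["context"] for c in p.get("required_status_checks", [])}
            elif rule["type"] == "non_fast_forward":
                pol["force_push_blocked"] = True
            elif rule["type"] == "deletion":
                pol["deletion_blocked"] = True
    bp = protections.get(ref.removeprefix("refs/heads/"))
    if bp:  # classic branch protection applies on top of the rulesets
        pol["sources"].append("branch-protection")
        reviews = bp.get("required_pull_request_reviews") or {}
        pol["approvals"] = max(pol["approvals"], reviews.get("required_approving_review_count", 0))
        pol["dismiss_stale"] |= reviews.get("dismiss_stale_reviews", False)
        pol["checks"] |= set((bp.get("required_status_checks") or {}).get("contexts", []))
        pol["force_push_blocked"] |= not bp.get("allow_force_pushes", {}).get("enabled", True)
        pol["deletion_blocked"] |= not bp.get("allow_deletions", {}).get("enabled", True)
        pol["enforce_admins"] = bp.get("enforce_admins", {}).get("enabled", False)
    return pol

def lint(ref):
    """Baseline from the thread: PR approvals, status checks, restricted pushes."""
    pol = effective_policy(ref)
    rules = [(pol["approvals"] >= 2, f"approvals {pol['approvals']} < 2"),
             (pol["dismiss_stale"], "stale reviews not dismissed"),
             (bool(pol["checks"]), "no required status checks"),
             (pol["force_push_blocked"], "force pushes allowed"),
             (pol["deletion_blocked"], "branch deletion allowed")]
    return [msg for ok, msg in rules if not ok]
```

With the constructed data, `lint("refs/heads/main")` is clean and `effective_policy` reports 3 required approvals (the branch protection rule's value wins over the rulesets' 2 and 1) with the union of all status checks; `refs/heads/release/1.0` is covered by the pattern in the default ruleset alone; and `refs/heads/feature/x` matches nothing active, which is the gap an exact `refs/heads/feature` entry leaves and the reason to lint every branch family you expect to be protected rather than only `main`.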
